Upgrade to 1.8.18

[Ashley1]

I am getting this

Fatal error: Uncaught Error: Call to undefined function my_hash_equals() in /usr/.../inc/functions_forumlist.php:145 Stack trace: #0 /usr/.../inc/functions_forumlist.php(154): build_forumbits('1', 2) #1 /usr/..../index.php(421): build_forumbits() #2 {main} thrown in /usr/..../inc/functions_forumlist.php on line 145

on my test board upgrading from .17 to .18

Does anyone else get the same ?

[Wires]

This issue has been pushed to GitHub already - https://github.com/mybb/mybb/issues/3409. It looks like the changes are going to be reverted.

[Euan T]

Hi, I've pushed a PR for this but haven't had time to test it: https://github.com/mybb/mybb/pull/3413

[Ashley1]

Notwithstanding this error, for those with custom themes, these are the notes I made while testing on my test board:

These are the templates that you need to go check against the default ones and make changes accordingly:

editpost
error_nopermission
forumdisplay_inlinemoderation
member_lostpw
newreply
newthread
post_attachments_new
post_javascript
postbit_edit
postbit_multiquote
postbit_quickdelete
postbit_quickrestore
postbit_quote
private_send_autocomplete
search_results_posts_inlinemoderation
search_results_threads_inlinemoderation
showthread
showthread_inlinemoderation
showthread_printthread
showthread_ratethread

also global.css adds at approx line 1330

.postbit_qrestore,
.status_type{
display:none!important;
}

.deleted_post .postbit_qrestore,
.deleted_post .status_type{
display:inline!important;
}

.deleted_post .postbit_mirage{
display:none!important;
}

[Euan T]

Note that the above templates are also listed in the release notes: https://mybb.com/versions/1.8.18/

[Ashley1]

Hi, I've pushed a PR for this but haven't had time to test it: https://github.com/mybb/mybb/pull/3413

I have applied these changes (5 files) and the errors have disappeared.

[gimbal]

Forgive my ignorance - is it recommended that everyone change the 5 files posted by Euan on github, and also add the code to global.css, after running the 1.8.18 upgrade script?? Will you be making these changes part of the update files that are downloaded and installed, or upgrade script?

[Wires]

Bare in mind that the changes made by Euan (in the PR) may still needing testing as with most (if not all) other PRs. The changes made will be merged into 1.8.19 and released as an Upgrade. As the changes do not alter the database this PR is as simple as just overwriting the old files. The upgrade script is used to make changes to the database.

[Serpius]

Hi, I've pushed a PR for this but haven't had time to test it: https://github.com/mybb/mybb/pull/3413

I have applied these changes (5 files) and the errors have disappeared

I'm not a coder, so can you give me (and others) the incorrect lines with the corrected lines in the appropriate files?
Like a 'Before Correction' and 'After Correction' kind of thing.

[Wires]

Add the following to ../inc/functions.php:

 /**
 * Performs a timing attack safe string comparison.
 *
 * @param string $known_string The first string to be compared.
 * @param string $user_string The second, user-supplied string to be compared.
 * @return bool Result of the comparison.
 */
function my_hash_equals($known_string, $user_string)
{
 if(version_compare(PHP_VERSION, '5.6.0', '>='))
 {
 return hash_equals($known_string, $user_string);
 }
 else
 {
 $known_string_length = my_strlen($known_string);
 $user_string_length = my_strlen($user_string);
 if($user_string_length != $known_string_length)
 {
 return false;
 }
 $result = 0;
 for($i = 0; $i < $known_string_length; $i++)
 {
 $result |= ord($known_string[$i]) ^ ord($user_string[$i]);
 }
 return $result === 0;
 }
} 

In ../inc/functions_archive.php, find the following (around line 264):

 if(!$mybb->cookies['forumpass'][$fid] || ($mybb->cookies['forumpass'][$fid] && !my_hash_equals(md5($mybb->user['uid'].$password), $mybb->cookies['forumpass'][$fid])))

Replace with:

 if(!isset($mybb->cookies['forumpass'][$fid]) || !my_hash_equals(md5($mybb->user['uid'].$password), $mybb->cookies['forumpass'][$fid]))

In ../inc/functions_forumlist.php, find the following (around line 145):

if($forum['password'] != '' && !my_hash_equals($mybb->cookies['forumpass'][$forum['fid']], md5($mybb->user['uid'].$forum['password'])))
{
    $hideinfo = true;
    $showlockicon = 1;
}

Replace with:

 if($forum['password'])
{
 if(!isset($mybb->cookies['forumpass'][$forum['fid']]) || !my_hash_equals($mybb->cookies['forumpass'][$forum['fid']], md5($mybb->user['uid'].$forum['password'])))
  {
 $hideinfo = true;
 $showlockicon = 1;
 }
}

In ../inc/functions_search.php, find the following (around line 128):

 if(!my_hash_equals($mybb->cookies['forumpass'][$forum['fid']], md5($mybb->user['uid'].$forum['password'])))

Replace with:

 if(!isset($mybb->cookies['forumpass'][$forum['fid']]) || !my_hash_equals($mybb->cookies['forumpass'][$forum['fid']], md5($mybb->user['uid'].$forum['password'])))

In ../inc/functions_user.php, find and remove the following:

/** 
 * Performs a timing attack safe string comparison. 
 * 
 * @param string $known_string The first string to be compared. 
 * @param string $user_string The second, user-supplied string to be compared. 
 * @return bool Result of the comparison. 
 */ 
function my_hash_equals($known_string, $user_string) 
{ 
 if(version_compare(PHP_VERSION, '5.6.0', '>=')) 
 { 
 return hash_equals($known_string, $user_string); 
 } 
 else 
 { 
 $known_string_length = my_strlen($known_string); 
 $user_string_length = my_strlen($user_string); 
 if($user_string_length != $known_string_length) 
 { 
 return false; 
 } 
 $result = 0; 
 for($i = 0; $i < $known_string_length; $i++) 
 { 
 $result |= ord($known_string[$i]) ^ ord($user_string[$i]); 
 } 
 return $result === 0; 
 } 
}